wgengine/filter: add protocol-agnostic packet checker (#10446)

For use in ACL tests, we need a way to check whether a packet is allowed not just with TCP, but any protocol. Updates #3561 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2024-11-29 04:55:31 +00:00 · 2023-12-02 16:30:33 -06:00 · 2023-12-02 16:30:33 -06:00 · 263e01c47b
commit 263e01c47b
parent c85532270f
1 changed files with 13 additions and 5 deletions
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@ -300,9 +300,9 @@ func (f *Filter) logRateLimit(runflags RunFlags, q *packet.Parsed, dir direction
 	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
 }

-// CheckTCP determines whether TCP traffic from srcIP to dstIP:dstPort
-// is allowed.
-func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response {
+// Check determines whether traffic from srcIP to dstIP:dstPort is allowed
+// using protocol proto.
+func (f *Filter) Check(srcIP, dstIP netip.Addr, dstPort uint16, proto ipproto.Proto) Response {
 	pkt := &packet.Parsed{}
 	pkt.Decode(dummyPacket) // initialize private fields
 	switch {
@ -319,12 +319,20 @@ func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response {
 	}
 	pkt.Src = netip.AddrPortFrom(srcIP, 0)
 	pkt.Dst = netip.AddrPortFrom(dstIP, dstPort)
-	pkt.IPProto = ipproto.TCP
-	pkt.TCPFlags = packet.TCPSyn
+	pkt.IPProto = proto
+	if proto == ipproto.TCP {
+		pkt.TCPFlags = packet.TCPSyn
+	}

 	return f.RunIn(pkt, 0)
 }

+// CheckTCP determines whether TCP traffic from srcIP to dstIP:dstPort
+// is allowed.
+func (f *Filter) CheckTCP(srcIP, dstIP netip.Addr, dstPort uint16) Response {
+	return f.Check(srcIP, dstIP, dstPort, ipproto.TCP)
+}
+
 // CapsWithValues appends to base the capabilities that srcIP has talking
 // to dstIP.
 func (f *Filter) CapsWithValues(srcIP, dstIP netip.Addr) tailcfg.PeerCapMap {